NIST's cyber framework moves toward implementation stage

Jason Miller reports.

After eight months, the National Institute of Standards and Technology Tuesday
released the cybersecurity framework for critical infrastructure providers.

But now the real work begins. NIST must move from its role as convener, bringing
together more than 3,000 industry, academic and government experts, to one of
persuader, with the goal of making sure companies understand the benefits of
implementing the framework.

Part of how NIST, and the government at large, will do that is through incentives.

In August, the White House offered some details on the recommendations provided by
the departments of Homeland Security, Commerce and Treasury as to the areas where
incentives could help adoption of the framework.

A White House official said Tuesday some of the eight potential areas of incentives
determined by the three agencies — insurance, grants, process preference,
liability limitation, streamlined regulations, public recognition, rate recovery
and cybersecurity research — are immediately applicable and would be
implemented now.

Others can only be implemented once the cybersecurity framework is completed, so
the administration will evaluate them in full once the framework is complete, the
official said in an email.

"Agencies are already beginning to work with the insurance industry to develop
groundwork so that the framework can be utilized properly within the current
marketplace and developing the means to use framework adoption as a criteria for
cybersecurity grants," the official said. "Discussing these agency reports
publicly is an interim step and does not indicate the administration's final
policy position on the recommended actions. We will be making more information on
these efforts available as the framework and program are completed."

Multi-step process

Additionally, agencies will review the framework over the next three months. Those
that already regulate industry sectors, such as electricity or banking, will
determine if they have enough regulatory authority.

The White House official said sector-specific and other relevant agencies, most of
which are non-regulatory, are actively working with the Homeland Security
Department to provide information necessary to carry out the responsibilities
under the Executive Order.

NIST's release of the final draft version of the framework is step one of a
multi-step process. It will accept comments over the next few months and then
release a final Version 1.0 in February.

Patrick Gallagher, the director of NIST, said the agency will host the fifth
workshop Nov. 14 to 15 in Raleigh, N.C.

"There we will be seeking one more round of input on the framework, and we will be
discussing options for an industry led governance structure of the framework going
forward," he said during a call with reporters Tuesday. "We continue to work on
the framework after [it's released in February]."

Gallagher said he expects the privacy and civil liberties section of the framework
to draw a lot of comments in November and possibly change the most when NIST
releases version 1.0 in February.

Gallagher said the framework has changed little since the August version. He joked
that the final draft version is one of the worst-kept secrets in Washington.

The framework provides a common language for organizations to:

Describe their current cybersecurity posture;

Describe their target state for cybersecurity;

Identify and prioritize opportunities for improvement within the context of
risk management;

Assess progress toward the target state;

Foster communications among internal and external stakeholders.

The document is centered around five core functions — identify, protect,
detect, respond and recover — which can provide a high-level, strategic
view of an organization's management of cybersecurity risk.

Under each of these core areas, NIST identified underlying key categories and
subcategories and matched them with examples, such as existing standards,
guidelines and practices for each subcategory.

"The framework, developed in collaboration with industry, provides guidance to an
organization on managing cybersecurity risk," the document stated. "A key
objective of the framework is to encourage organizations to consider cybersecurity
risk as a priority similar to financial, safety, and operational risk while
factoring in larger systemic risks inherent to critical infrastructure."

Not a silver bullet

Gallagher said the framework will mean different things to organizations of
different sizes.

"The underlying structure of what's needed is the same. The principles are the
same. [All sizes of organizations] need to be able to identify, protect, detect,
respond and recover to and from cyber threats," he said. "The framework provides a
way for these organizations to match up their current efforts with best practices
in these various functional areas and to gauge the maturity of their own
cybersecurity systems."

Gallagher added that the framework also gives them a way to set goals through a
roadmap toward better security and to lower their risks.